‘Magic’ Ransomware Is Based On Open-Source Code

A new ransomware family based on open-source code has been spotted in the wild; it encrypts user files and adds a ‘.magic’ extension to them, researchers warn.

Dubbed "Magic", the malware is based on an open-source ransomware called eda2, which was created for educational purposes. The Magic ransomware was written in C#, and the masterminds behind it currently demand 1 Bitcoin from users looking to regain access to their data.

Ransomware has become a highly rewarding business for cyber-criminals, with some interested in building their own malware.

Adopting open-source ransomware is a fast way to do that, and the Magic ransomware is proof that perpetrators would do whatever it takes to achieve their nefarious goals.

Magic is the second ransomware discovered this month to have been built upon ransomware created for educational purposes. Recently, Trend Micro discovered that a newly created threat called Ransom_Cryptear.B was based on another educational ransomware publicly available, namely Hidden Tear, which was released as open source in August 2015 by Turkey-based hacker Utku Sen.

Hidden Tear code was used in other malware as well, including Linux.Encoder, which was discovered back in November to pack an encryption flaw that allowed researchers to crack its encryption algorithm.

Recently, Utku Sen said that he managed to break the encryption of Cryptear.B because he intentionally weakened the encryption in Hidden Tear fearing that cybercriminals might abuse it.

Based on the eda2 ransomware kit, the newly discovered Magic malware appears to be the work of low-skilled hackers, Bleeping Computer’s Lawrence Abrams explains in a blog post.

However, the kit includes all the necessary code, from the ransomware executable and its encryption routine to a PHP web panel that serves as a Command & Control (C2) server for storing victims' encryption keys.

Researchers haven’t yet established how Magic is being distributed, but they assume manual distribution via hacked Terminal Services or Remote Desktop access.

The ransomware stores the AES keys used to encrypt files on the C2 servers, but it first encrypts those keys with an RSA public key before sending them to the server.

Because the actors using the Magic ransomware are not advanced, they use C2 servers hosted on free web hosting services, which means the servers can be easily taken down.

However, there’s a risk that the free web hosting provider may delete the decryption key databases before security researchers can access them, meaning that victims lose the ability to retrieve their keys.

The ransomware is capable of encrypting a wide array of file extensions and appends the .magic extension to any encrypted file, but it won’t encrypt files located in directories whose path contains the string $, C:\Windows, or c:\program. After completing the encryption process, it creates the deleteMyProgram.bat batch file and executes it, an operation that uses vssadmin.exe to clear the victim's Shadow Volume Copies and then deletes the malware executable.
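The behaviour described above (mass renames to .magic, a deleteMyProgram.bat cleanup script, and vssadmin.exe being used to remove Shadow Volume Copies) is exactly what host telemetry can catch. The following Python script is an added triage example written for this page, not code from the article, from Bleeping Computer, or from the eda2 project. It assumes a simple `key=value|key=value` log format that loosely models process-creation and file-rename events; the sample log lines, host names and paths are constructed for the example.

```python
"""Triage of host logs for the Magic ransomware behaviour described above.

Added example, not code from the article or the eda2 project. The log format
(key=value fields separated by '|') and the sample records are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Indicators taken from the article's description of the malware.
ENCRYPTED_EXT = ".magic"
CLEANUP_BATCH = "deletemyprogram.bat"
# Path fragments the article says the ransomware skips (compared lower-cased).
SKIPPED_PATH_MARKERS = ("$", "c:\\windows", "c:\\program")
# vssadmin invoked to delete Volume Shadow Copies; 'list shadows' must not match.
VSSADMIN_SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE
)


@dataclass
class Finding:
    host: str
    rule: str
    evidence: str


def parse_line(line):
    """Parse one 'k=v|k=v' record into a dict (values may contain spaces)."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def would_be_skipped(path):
    """True if the article's exclusion rule says Magic would leave this path alone.

    Useful when scoping recovery: files under these paths should be intact.
    """
    lowered = path.lower()
    return any(marker in lowered for marker in SKIPPED_PATH_MARKERS)


def analyse(lines, rename_threshold=5):
    """Return Findings for shadow-copy deletion, the cleanup batch, and mass renames."""
    findings = []
    magic_renames = Counter()  # host -> number of renames to .magic
    for line in lines:
        rec = parse_line(line)
        host = rec.get("host", "unknown")
        if rec.get("event") == "process_create":
            cmd = rec.get("cmd", "")
            if VSSADMIN_SHADOW_DELETE.search(cmd):
                findings.append(Finding(host, "shadow_copy_deletion", cmd))
            if CLEANUP_BATCH in cmd.lower():
                findings.append(Finding(host, "cleanup_batch_executed", cmd))
        elif rec.get("event") == "file_rename":
            if rec.get("target", "").lower().endswith(ENCRYPTED_EXT):
                magic_renames[host] += 1
    for host, count in magic_renames.items():
        if count >= rename_threshold:
            findings.append(Finding(host, "mass_rename_to_magic",
                                    f"{count} files renamed to {ENCRYPTED_EXT}"))
    return findings


def hosts_to_isolate(findings, min_rules=2):
    """Hosts that triggered at least `min_rules` distinct rules, sorted by name."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_rules)


# Constructed sample telemetry: WS01 shows the full Magic pattern, WS02 does not.
SAMPLE_LOG = [
    "seq=1|host=WS01|event=process_create|cmd=cmd.exe /c C:\\Users\\bob\\AppData\\Local\\Temp\\deleteMyProgram.bat",
    "seq=2|host=WS01|event=process_create|cmd=vssadmin.exe delete shadows /all /quiet",
    "seq=3|host=WS01|event=file_rename|target=C:\\Users\\bob\\Documents\\report.docx.magic",
    "seq=4|host=WS01|event=file_rename|target=C:\\Users\\bob\\Documents\\budget.xlsx.magic",
    "seq=5|host=WS01|event=file_rename|target=C:\\Users\\bob\\Pictures\\holiday.jpg.magic",
    "seq=6|host=WS01|event=file_rename|target=C:\\Users\\bob\\Desktop\\notes.txt.magic",
    "seq=7|host=WS01|event=file_rename|target=C:\\Users\\bob\\Desktop\\todo.txt.magic",
    "seq=8|host=WS02|event=process_create|cmd=vssadmin.exe list shadows",
    "seq=9|host=WS02|event=file_rename|target=C:\\Users\\ann\\notes.txt.magic",
]

if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f"{f.host}: {f.rule} <- {f.evidence}")
    print("isolate:", hosts_to_isolate(results))
```

The rename threshold is deliberately a parameter: a single `.magic` rename (WS02) is worth a look but not an automatic alert, whereas the combination of a shadow-copy deletion, the cleanup batch and a burst of renames on one host is strong enough to isolate it. `would_be_skipped` encodes the article's exclusion list so responders can tell which directories should still hold intact files.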

The ransomware also places ransom notes on the desktop, providing victims with information on what has happened and on what they need to do to decrypt their files.

The actors behind the ransomware use a static bitcoin payment address, which has had no payments sent to it as of yet.
